Windows DHCP server loaded CallOut DLL

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects when a DHCP server loads a CallOut DLL, which can be used by attackers to execute malicious code with SYSTEM privileges.

Strategy

This rule monitors Windows Event ID 1033 from the Microsoft-Windows-DHCP-Server provider. The event indicates that a DHCP server has loaded a CallOut DLL, a mechanism that allows custom extension of DHCP server functionality. Loading a CallOut DLL is rare in most environments, and because the DHCP Server service typically runs with SYSTEM privileges, an attacker who can get a CallOut DLL registered and loaded gains code execution at that privilege level. The technique hijacks the execution flow of a legitimate, trusted process by having it load a malicious DLL.

Triage & Response

  • Verify if the loaded DLL is expected in your environment and approved by the administrator.
  • Analyze the CallOut DLL file for suspicious characteristics including digital signatures, file creation date, and file location.
  • Review recent changes to DHCP server configuration that may have enabled the CallOut DLL functionality.
  • Check for any related suspicious process activity around the time the DLL was loaded.
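To show how the detection and the first triage step fit together, here is an added example (not the rule's own logic and not code from this page): it filters exported Windows event XML for Event ID 1033 from Microsoft-Windows-DHCP-Server, extracts the loaded DLL path, and marks it as approved or needing review against an administrator-maintained allowlist. The sample records, host names and the EventData field name DllPath are constructed assumptions, not real telemetry.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

PROVIDER = "Microsoft-Windows-DHCP-Server"
EVENT_ID = 1033  # DHCP server loaded a CallOut DLL

# Constructed sample records in Windows Event XML form, not real telemetry; the
# EventData field name "DllPath" is an assumption to confirm against real exports.
NS = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
SAMPLE_EVENTS = [
    f'<Event {NS}><System><Provider Name="{PROVIDER}"/><EventID>1033</EventID>'
    '<Computer>dhcp01.corp.example</Computer></System><EventData>'
    '<Data Name="DllPath">C:\\Windows\\System32\\dhcpcallout.dll</Data></EventData></Event>',
    f'<Event {NS}><System><Provider Name="{PROVIDER}"/><EventID>1033</EventID>'
    '<Computer>dhcp02.corp.example</Computer></System><EventData>'
    '<Data Name="DllPath">C:\\Users\\Public\\update.dll</Data></EventData></Event>',
    f'<Event {NS}><System><Provider Name="Service Control Manager"/><EventID>7036</EventID>'
    '<Computer>dhcp02.corp.example</Computer></System><EventData/></Event>',
]

def parse_callout_load(xml_text):
    """Return (computer, dll_path) for a DHCP CallOut DLL load event, else None."""
    root = ET.fromstring(xml_text)
    provider = root.find("./{*}System/{*}Provider")
    if provider is None or provider.get("Name") != PROVIDER:
        return None
    if root.findtext("./{*}System/{*}EventID") != str(EVENT_ID):
        return None
    computer = root.findtext("./{*}System/{*}Computer", default="?")
    dll = next((d.text or "" for d in root.iterfind("./{*}EventData/{*}Data")
                if d.get("Name") == "DllPath"), "")
    return computer, dll

def normalize(path):
    """Case- and separator-insensitive form of a Windows path for comparison."""
    return PureWindowsPath(path).as_posix().lower()

def triage(xml_records, approved_dlls):
    """Mark each CallOut load 'approved' if on the admin allowlist, else 'review'."""
    approved = {normalize(p) for p in approved_dlls}
    findings = []
    for record in xml_records:
        parsed = parse_callout_load(record)
        if parsed is None:
            continue  # not a DHCP CallOut load; ignore
        computer, dll = parsed
        status = "approved" if normalize(dll) in approved else "review"
        findings.append({"computer": computer, "dll": dll, "status": status})
    return findings
```

Anything marked "review" is where the remaining triage steps (signature, creation date, location, configuration changes, surrounding process activity) should be applied.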